
California Attorney General issues recommendations for privacy policies and do not track disclosures

On May 21, 2014, California Attorney General Kamala D. Harris issued her long-awaited guidance for complying with the California Online Privacy Protection Act (“CalOPPA”). The guidance, “Making Your Privacy Practices Public,” provides specific recommendations on how businesses can meet CalOPPA’s requirement to post, and then comply with, a privacy policy of their own drafting.

As we have written in the past, CalOPPA is the California privacy statute that requires any company collecting personally identifiable information online from a California resident, whether through a commercial website or a mobile application, to post and comply with a privacy policy that meets the content requirements set out in the statute. More recently, CalOPPA was amended to require that the policy disclose how the website operator responds to Do Not Track signals or similar mechanisms. The law also requires privacy policies to state whether third parties can collect personally identifiable information about the site’s users.

The guidance’s recommendations, in summary, are as follows.

Explain the Policy SCOPE

Explain whether the privacy policy covers only online data collection and use, or both online and offline

Clearly indicate which entities, such as subsidiaries or affiliates, the privacy policy covers

Make the Policy AVAILABLE

Make the policy conspicuously available:

For a website: use a conspicuous link on the homepage containing the word “privacy”; put the “privacy” link on every web page that collects personal information; and format the policy so it can be printed as a separate document

For a mobile application: post or link the policy on the application’s platform page so users can review it before download; and include a link to the policy from within the mobile application

Make the Policy READABLE

Use plain, straightforward language. Avoid technical or legal jargon. Use graphics and icons, where appropriate.

Describe how you collect PII on users or visitors: (a) using which technologies (e.g., cookies, web beacons); and (b) from any other sources

Disclose your ONLINE TRACKING / DO NOT TRACK (“DNT”) Response

Clearly label for the consumer your policy regarding online tracking, e.g., “How We Respond to Do Not Track Signals” or “California Do Not Track Disclosures”

Describe how you respond to a Do Not Track signal within your privacy policy, and not by providing a link to another website, e.g.:

Do you treat consumers whose browsers send a DNT signal differently from those without one?

After the DNT signal, do you still collect a consumer’s PII over time or across third-party websites?

If so, what are the uses of the consumer’s PII?

If you decide not to describe your response to a DNT signal or another mechanism:

Provide a clear and conspicuous link to a program that offers consumers a choice about online tracking

Identify the program with a brief, general description of what it is

Acknowledge that you comply with the program

Make sure that the linked page contains a clear statement about the program’s effect on the consumer, i.e., whether participation results in stopping the collection of PII across websites or online services over time

Make sure that the linked page makes clear what the consumer must do to exercise the choice offered by the program

Disclose whether third parties are or may be collecting the PII of consumers while they are on your site or service

Consider whether only approved third parties are collecting PII on your site

Consider how you would verify that authorized third parties are not bringing unauthorized parties to your site

Can you ensure that authorized third-party trackers comply with your DNT policy?
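The guidance asks the operator to state what actually happens when a browser sends a Do Not Track signal, and whether approved third parties on the page respect that answer. The following Python sketch is an added example, not code from the article or from the Attorney General’s guidance: it reads the DNT request header, applies one hypothetical disclosed policy (honour DNT by dropping cross-site third-party tags while keeping first-party analytics, or openly disregard it), and gates third-party tag injection on an allowlist of approved hosts. The header name “DNT”, its values “1” and “0”, and the “Tk” response values come from the W3C Tracking Preference Expression draft; the policy rules, allowlist and sample requests are constructed for illustration.

```python
"""Server-side handling of a browser's Do Not Track (DNT) signal.

Added example, not code from the article or from the California Attorney
General's guidance. The request header "DNT" with values "1" (do not track
me) and "0" (I consent), and the "Tk" response header values used below
(N = not tracking, T = tracking, C = tracking with consent, D = disregarding
the signal), follow the W3C Tracking Preference Expression draft. The policy
rules, the approved-tag allowlist and the sample requests are constructed
for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class TrackingDecision:
    preference: str            # "opt-out", "consent" or "unset"
    first_party_analytics: bool
    third_party_tags: bool
    tk_header: str             # value to send in the "Tk" response header


def dnt_preference(headers: Dict[str, str]) -> str:
    """Map the DNT request header to the user's expressed preference.

    HTTP header names are case-insensitive, so the lookup normalises them.
    Any value other than "1" or "0" is treated as no preference expressed.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
            break
    if value == "1":
        return "opt-out"
    if value == "0":
        return "consent"
    return "unset"


def decide_tracking(headers: Dict[str, str], honor_dnt: bool = True) -> TrackingDecision:
    """Apply one disclosed tracking policy to a request.

    Hypothetical policy: if the site honours DNT, a "DNT: 1" request still
    gets first-party analytics but no cross-site third-party tags. If the
    site has chosen not to honour DNT (which its policy must then say), the
    signal is disregarded and the response says so with "Tk: D".
    """
    pref = dnt_preference(headers)
    if pref == "opt-out":
        if honor_dnt:
            return TrackingDecision(pref, True, False, "N")
        return TrackingDecision(pref, True, True, "D")
    if pref == "consent":
        return TrackingDecision(pref, True, True, "C")
    return TrackingDecision(pref, True, True, "T")


def third_party_tags_to_load(decision: TrackingDecision,
                             requested: Iterable[str],
                             approved: Iterable[str]) -> List[str]:
    """Return the third-party tag hosts a page may embed for this request.

    Hosts not on the approved allowlist are dropped regardless of DNT; this
    is the check behind "only approved third parties are collecting PII".
    """
    if not decision.third_party_tags:
        return []
    allowed = set(approved)
    return [host for host in requested if host in allowed]


# Constructed sample allowlist and requests (not real traffic).
APPROVED_TAG_HOSTS = ["analytics.partner.example", "ads.partner.example"]
REQUESTED_TAG_HOSTS = ["analytics.partner.example", "ads.partner.example",
                       "unknown-tracker.example"]
SAMPLE_REQUESTS = {
    "dnt_on": {"Host": "www.example", "DNT": "1"},
    "dnt_consent": {"host": "www.example", "dnt": " 0 "},
    "no_preference": {"Host": "www.example"},
}


if __name__ == "__main__":
    for label, headers in SAMPLE_REQUESTS.items():
        decision = decide_tracking(headers)
        tags = third_party_tags_to_load(decision, REQUESTED_TAG_HOSTS, APPROVED_TAG_HOSTS)
        print(f"{label:14} preference={decision.preference:8} "
              f"Tk={decision.tk_header} tags={tags}")
```

The point of the `Tk` value and the allowlist is that the server’s behaviour becomes something that can be checked against the words in the privacy policy: if the policy says DNT is honoured, a request carrying `DNT: 1` should produce no third-party tag loads, and a tag host that never appears on the allowlist cannot bring an unapproved tracker onto the page.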

Disclose your DATA USE and DATA SHARING

Describe – (a) what PII you collect from users; (b) how you use it; and (c) how long you retain that information

List the categories of personal information collected from users and visitors, and the retention period for each category

List the categories of companies with which you share customer personal information

Explain any uses of PII not related to fulfilling a customer transaction, or other basic function of an online service

If possible, provide a link to the privacy policies of third parties with whom you share PII

Allow for INDIVIDUAL CHOICE and ACCESS

Describe the consumer’s choices related to the collection, use, and sharing of his or her personal information

Abide by the consumer’s choices and ensure that they are always honored

Implement the choices within a reasonable time period

Consider offering your customers the opportunity to review and correct personal information. If you do so:

Explain how one can review the information

Properly verify identity and authenticate any access to the information

Control and document customer changes or corrections to personal information through audit logs or transaction histories

Describe your SECURITY SAFEGUARDS

Include a general description of security measures used to safeguard PII (held by you and/or third parties)

Include EFFECTIVE DATE

Ensure that the privacy policy is uniform throughout the organization

Explain how you will notify customers about material changes to your privacy policy

Do not use changes to the privacy policy on your website as the exclusive means of notifying customers of material changes in your uses or sharing of personal information

Allow for ACCOUNTABILITY

Provide contact information for questions or concerns about your privacy policies and practices. At minimum, include a title and email or postal address of company official who will respond to privacy questions/concerns. Consider offering a toll-free number.

Train customer service telephone staff to respond to inquiries about privacy

In releasing these guidelines, Attorney General Kamala Harris continues to be a highly aggressive figure in the area of online privacy. Her office has made it a top priority to ensure these online privacy laws are enforced, and has already shown its commitment to enforcing CalOPPA in its lawsuit against Delta Air Lines for violation of the statute.

While some of these Guidelines may be aspirational, the issuance of this advice is a good reminder to review your privacy policy against all relevant law and best practice standards.